Social Engineering

Microsoft Teams helpdesk scam: A nine-step attack chain targeting corporate networks


When the IT support team reaches out via Microsoft Teams, flags an urgent security update, and requests remote access, it sounds like routine maintenance. In reality, it may be one of the most dangerous intrusion methods targeting enterprise networks today.

A recent Microsoft report, alongside analysis from Sophos, highlights a sharp rise in attacks that turn a company's own internal communication infrastructure against it, as reported by Bleeping Computer. At the center of these attacks is Microsoft Teams, whose external access feature (cross-tenant chat with users from other Microsoft 365 tenants) has become a surprisingly effective entry point for cybercriminals.


Attackers impersonate IT helpdesk staff

The strategy is as simple as it is deceptive. Attackers use cross-tenant chats, messaging employees from a tenant outside the organization while posing as members of the company's own IT department or helpdesk. In an era where remote work and hybrid models have reduced direct personal contact with IT staff, this impersonation often goes undetected until it is too late. The attackers typically claim there is an urgent problem with a user account, a necessary security update, or a spam filter adjustment requiring immediate intervention.

Once contact is established, a nine-step attack chain begins, designed to abuse legitimate administrative tools for criminal purposes. The first goal is to convince the victim to initiate a remote maintenance session. Attackers favor Quick Assist, an official Windows application. Because this tool is familiar and trusted in corporate environments, most employees do not grow suspicious when asked to enter the session code the "helper" provides and then click Allow on the request for full control. Entering the code alone only shares the screen; it is that second approval that hands the attacker the keyboard and mouse of the machine.

A high level of professionalism

Once access is secured, the attackers operate with the composure of professional system administrators. Using the command prompt and PowerShell, they conduct rapid network reconnaissance, check privileges, and assess the reachability of domain controllers. To establish persistent access without triggering alarm systems, they employ a technique called DLL side-loading. A small malicious DLL is dropped into a user-writable directory such as ProgramData, next to a fully legitimate, digitally signed executable (Adobe Acrobat Reader, Autodesk software, or even Windows' own error reporting components) that looks for a library of that name in its own directory before anywhere else. When the signed executable starts, it loads the attacker's DLL. From the perspective of endpoint protection, it appears as though legitimate software is running routinely, while a connection to the attackers' command-and-control server is being established in the background.
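One practical check for the side-loading pattern described above is to ask every running process which DLLs it has loaded from user-writable directories and whether those DLLs carry a valid signature. The following PowerShell hunt is an added example written for this article, not code from Microsoft, Sophos, or the reporting it summarizes. It assumes it is run elevated on the endpoint being examined; the watchlist of directories and the decision to ignore validly Microsoft-signed libraries are this example's own choices.

```powershell
# Added example (not from the article): find DLLs loaded from user-writable
# directories whose signature is missing, invalid, or not Microsoft's, and
# report which (usually signed) host process loaded them.
# Assumptions: run as Administrator; $SuspectDirs is our own watchlist.

$SuspectDirs = @("$env:ProgramData", "$env:PUBLIC", "$env:TEMP")   # assumption: our watchlist

function Get-SideloadCandidates {
    param([string[]]$Dirs = $SuspectDirs)

    foreach ($proc in Get-Process) {
        # Protected or cross-bitness processes refuse module enumeration; skip them.
        try { $modules = $proc.Modules } catch { continue }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            # Only look at libraries living under one of the watched directories.
            if (-not ($Dirs | Where-Object { $path -like "$_\*" })) { continue }

            $sig = Get-AuthenticodeSignature -FilePath $path
            # Validly Microsoft-signed libraries in these folders are common and
            # uninteresting for this hunt; everything else is worth a look.
            if ($sig.Status -eq 'Valid' -and
                $sig.SignerCertificate.Subject -match 'Microsoft') { continue }

            # The host image is what EDR sees "running"; record whether it is signed,
            # because a signed host loading an unsigned DLL is the side-loading tell.
            $hostSig = if ($proc.Path) {
                (Get-AuthenticodeSignature -FilePath $proc.Path).Status
            } else { 'Unknown' }

            [pscustomobject]@{
                Process    = $proc.ProcessName
                PID        = $proc.Id
                HostImage  = $proc.Path
                HostSigned = $hostSig
                Module     = $path
                SigStatus  = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
            }
        }
    }
}

Get-SideloadCandidates | Format-Table -AutoSize
```

Run it on a machine that has just hosted an unsolicited Quick Assist session. A result where HostSigned is Valid, SigStatus is NotSigned, and the module sits under ProgramData is exactly the pattern the article describes and should be pulled for analysis rather than deleted. The hunt is point-in-time: a loader that has already exited will not appear, so pair it with image-load telemetry (Sysmon Event ID 7 or your EDR's equivalent) for coverage over time.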


This form of infiltration is particularly dangerous because it blends seamlessly with the normal noise of everyday IT operations. The attackers move laterally through the network using native protocols like Windows Remote Management (WinRM), targeting high-value assets and especially domain controllers to obtain broad administrative privileges. Sophos analysts have linked these tactics to the threat group GOLD ENCOUNTER, which has been associated with PayoutsKing ransomware since mid-2025. What stands out is the level of professionalism: rather than relying on automated malware, the attackers often operate manually at the keyboard, adapting in real time to the specific security architecture of each target.

Treat external Teams communication as a risk by default

For organizations, this development means that technical defenses alone are no longer sufficient. Microsoft and security service providers strongly advise treating external communication in Teams as risky by default: restrict external access to an explicit allowlist of partner domains rather than accepting chats from any tenant. Administrators should tightly regulate remote maintenance tools like Quick Assist, removing or blocking the application where the helpdesk does not use it, and restrict inbound WinRM to dedicated management hosts so that lateral movement over it stands out. As attackers in 2026 increasingly target the human interface, continuous staff training on how to handle unsolicited help requests via chat has become the most important line of defense against these invisible intruders. The simplest rule to teach is that a genuine helpdesk request can always be verified through a channel the employee already trusts, such as a call back to the published helpdesk number or a ticket in the normal system, before any code is entered or control is granted.
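The three technical controls in the paragraph above translate into a short PowerShell hardening script. This is an added example for this article, not a configuration published by Microsoft or Sophos. It assumes an elevated session on a domain-joined Windows endpoint for the first two parts, that 10.10.50.0/24 is the organization's dedicated management network (a hypothetical value), and that the third part is run by a Teams administrator with the MicrosoftTeams module installed; partner.example stands in for real partner domains.

```powershell
# Added example (not from the article): apply the article's three controls.
# Assumptions: run as Administrator; 10.10.50.0/24 is a hypothetical management
# subnet; the Teams section needs the MicrosoftTeams module and admin rights;
# partner.example is a placeholder for real partner domains.

$ManagementHosts = @('10.10.50.0/24')   # hypothetical dedicated management network

# 1. WinRM: keep the service for legitimate administration, but let the host
#    firewall accept inbound WinRM only from the management hosts. Any other
#    source then fails at the network layer and shows up as a blocked connection.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $ManagementHosts -Profile Domain

# 2. Quick Assist: it ships as an optional Windows capability. Remove it where
#    the helpdesk does not rely on it so there is nothing for a caller to open.
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    Remove-WindowsCapability -Online

# 3. Teams external access: allow cross-tenant chat only from named partner
#    domains and refuse personal (consumer) Teams accounts entirely.
Connect-MicrosoftTeams
$partnerPatterns = @('partner.example') |            # placeholder domains
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains (New-CsEdgeAllowList -AllowedDomain $partnerPatterns) `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# Verify the result before closing the session.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Two caveats a practitioner would want. Removing the Quick Assist capability does not stop a user who has local rights from reinstalling it from the Microsoft Store, so pair it with an AppLocker or WDAC rule denying the Quick Assist package if that path is open in your environment. And a domain allowlist in Teams only raises the bar: an attacker can still reach an employee through a compromised partner tenant, which is why the out-of-band verification habit described above remains the control of last resort.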

Lisa Löw


Junior Editor

it-daily.net
